Mandatory mask-wearing and record-keeping

The Covid-19 pandemic has been a challenging time for the people of New Zealand, and the measures taken to combat it have had a significant impact on our usual freedoms. We have analysed a number of actions taken by the government to fight the pandemic. While we’ve often found room for improvement, we have generally found them to be proportionate and able to be justified in a free and democratic society.

The latest development is that the government has issued a new Public Health Order that tightens up the requirements and enforcement around both mask-wearing and record-keeping for the purpose of contact-tracing. 

Mask wearing

It is clear that the increased understanding about how Covid-19 is spread through the air, and the greater infectiousness of the Delta variant of Covid-19, provide ample explanation for the changes in mask-wearing rules. While masks are uncomfortable they are a minor imposition on our rights and can be justified by expert medical advice. However there are still issues around how this will be enforced, particularly in such a way that won’t penalise those who have a genuine medical reason for not wearing them. Additional clarification on this from the government would be welcome.

Scanning and record-keeping

The government has already pushed quite strongly for people to keep records of their movements in order to help contact-tracers suppress outbreaks. Since the launch of the Covid Tracer app for smartphones, emphasis has been placed on this method. However, it is also clear that many people are not able to use the app to scan QR codes (some because they do not have a modern smartphone or for disability reasons) or are choosing not to do so. This has resulted in approximately only 10% of the population scanning the QR codes on a regular basis.

The government’s new Public Health Order will make record-keeping (either on paper or using an app) mandatory at busy places and large gatherings. The actual details of this are a bit fuzzy with more clarity needed about where it will be mandatory and how it will be enforced. For example, the reason for excluding places such as supermarkets, petrol and travel stations is unclear.

We have a strong preference for these types of measures to be voluntary and for compliance with them to be achieved by persuasion. We are particularly sensitive to the power imbalance issues around tracking the activities and locations of people going about their regular business, seeing it as an invasion of privacy and a powerful tool for control. 

However the current goal of eliminating community transmission of Covid-19 requires good contact-tracing. The Delta variant of Covid-19 in fact requires quicker contact-tracing than before, since it spreads between people much more easily than the earlier versions of the virus. This means we reluctantly accept that it may be necessary to use a mandate to achieve the necessary level of record-keeping to enable swift contact-tracing. However, we believe that more clarity around how this will work is necessary.

This leads us to the point that we have consistently argued, that any special powers or limitations needed for pandemic control must be explicitly restricted to only being used for that purpose. To leave open the possibility of allowing them to be used for any other purpose has two key problems. First, it means that the chance of them being revoked in the future will be a lot lower, making these infringements on our liberties permanent. Second, the effectiveness of the measures relies upon public compliance with them, which in turn fundamentally relies on the public trusting the state not to abuse the powers granted; if people feel this trust has been abused, compliance is likely to drop, harming the ability to achieve the public health goals used to justify the powers in the first place.

Insufficient privacy protection

The government has not done a good enough job of assuring us that information collected for the purpose of contact-tracing will only be used for this public health purpose. It is important here to distinguish between the data collected on a person’s phone using the Covid Tracer or Rippl apps for scanning QR codes, when that data is voluntarily provided to a contact tracer, and the information collected on paper at places people visit.

The technical underpinnings of the Covid Tracer and Rippl apps are well designed to protect privacy; the location data the apps gather when used to scan a QR code stays on the smartphone. It is not uploaded to a government database unless you choose to send it to a contact tracer in the event that you are a contact of someone infected with the virus. 

The same protection cannot be said to exist for paper registers. The information provided by people who sign a contact tracing register at a place they visit is kept by the place they visited. Since this information is your name and either an email address or phone number, it is valuable to companies seeking to build their marketing database. While this would be contrary to the Privacy Act, we don’t believe this is sufficient disincentive. Sign-in registers are also open to abuse for other reasons including harassment. Information on paper at businesses is also much easier for the police to access if they visit one of these locations while conducting an investigation completely unrelated to the pandemic. 

There are two ways we think the Health Order should be amended to address this. The first is to prohibit open sign-in registers and instead require businesses to collect the information by people providing their contact details on a slip of paper that they drop into a box (like voting papers into a ballot box). As Dr Andrew Chen has written, businesses “can then clear the box once a day, putting the slips of paper into a bag with the date on it in case they are needed by contact tracers later on”. The second is that the Health Order only requires the business to ‘dispose of’ the contact information after 60 days, not to destroy it. This may seem like a minor point, but the Public Records Act (while not applying to private sector businesses in most instances) states that ‘disposal’ of a record can include transfer of control of the record to another organisation, or sale, alteration or discharge of the record, as well as its destruction. If the government intends for businesses to destroy the contact tracing records after 60 days, the Health Order should state this.

Protecting information through legislation

Whether the data is collected by app or register, when this information is provided to a contact tracer it is likely to be supplemented by a lot of very personal data such as who you have been in contact with to help them do their work. This information will be held in a government database.

This brings us to our next concern. The government has said it will not use this information for police investigation purposes, but similar assurances were given in Singapore and Australia, only to be breached later. In New Zealand the Search & Surveillance Act makes it clear that the information would have to be provided to the Police or the Security Intelligence Service if they met the requirements to get a warrant. 

We strongly believe that the government needs to amend the law to guarantee that the only use which can be made of information gathered using these powers is for controlling the pandemic through contact tracing. It should explicitly prohibit the use of this information for any other purpose. We note that the Privacy Commissioner has also advocated for this (listen to him on Radio New Zealand here).

The Covid-19 pandemic means that we are being asked to trust the government with more power than we feel comfortable with. The government has the resulting responsibility to ensure it only uses those powers for the purpose that they were granted, and to give them up as quickly as possible. The seeming reluctance to do so signals that there is no reciprocation of that trust by the government.

Others share these concerns and we have co-signed an open letter from researcher Dr Andrew Chen calling on the government to take appropriate action to protect our privacy and support the success of our pandemic control.

Three articles worth reading:

• OASIS points out some shortcomings with switching to mandatory sign-in/scanning for the Covid response, and asks how much are we normalising further state surveillance. 
• Andrew Chen looks at some of the practicalities of mandatory sign-n/scanning including privacy and issues for people without devices.
• Andrew Geddis provides a legal analysis.